Github user mcgilman commented on the issue:
https://github.com/apache/nifi/pull/2990
@ijokarumawak Thanks for the update. I'm still in the process of reviewing
but one thing that concerns me is where we've identified Service Only in the
scenarios above. Currently (before the PR) the Enable case we allow the user to
specify if they want to enable just this service or this service and all
components that reference it (including other services and their referencing
components). During the Disable case, we require that the user disables this
service and all referencing components. This is because the referencing
components require this service's availability to continue running.
The issue that we're hitting now is that a user with permissions outlined
above with Service Only will be able to Enable this service but will be unable
to subsequently disable it. Because of this, I'm wondering if we need to be
even more strict to prevent this cases via the UI. I don't think its too
restrictive as this is more of a corner case. The more common use case here
will be granting operators permissions to the read policies and operation
policies for these components.
Thoughts?
---
